From 21a901c1dce962a9cfa0dc49164de9c2e9872700 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Fri, 18 Feb 2022 08:38:36 +0100
Subject: [PATCH] assign net delegated grants by env

---
 fast/stages/01-resman/branch-data-platform.tf | 2 +-
 fast/stages/02-networking-nva/spoke-dev.tf | 5 ++++-
 fast/stages/02-networking-nva/spoke-prod.tf | 5 ++++-
 fast/stages/02-networking-vpn/spoke-dev.tf | 5 ++++-
 fast/stages/02-networking-vpn/spoke-prod.tf | 5 ++++-
 5 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/fast/stages/01-resman/branch-data-platform.tf b/fast/stages/01-resman/branch-data-platform.tf
index 2684a6a1..0374219f 100644
--- a/fast/stages/01-resman/branch-data-platform.tf
+++ b/fast/stages/01-resman/branch-data-platform.tf
@@ -33,11 +33,11 @@ module "branch-dp-dev-folder" {
   group_iam = {}
   iam = {
     # remove owner here and at project level if SA does not manage project resources
+    "roles/compute.xpnAdmin" = [module.branch-dp-dev-sa.iam_email]
     "roles/logging.admin" = [module.branch-dp-dev-sa.iam_email]
     "roles/owner" = [module.branch-dp-dev-sa.iam_email]
     "roles/resourcemanager.folderAdmin" = [module.branch-dp-dev-sa.iam_email]
     "roles/resourcemanager.projectCreator" = [module.branch-dp-dev-sa.iam_email]
-    "roles/compute.xpnAdmin" = [module.branch-dp-dev-sa.iam_email]
   }
 }
diff --git a/fast/stages/02-networking-nva/spoke-dev.tf b/fast/stages/02-networking-nva/spoke-dev.tf
index cbb721ec..3c3cd3d6 100644
--- a/fast/stages/02-networking-nva/spoke-dev.tf
+++ b/fast/stages/02-networking-nva/spoke-dev.tf
@@ -125,7 +125,10 @@ module "peering-dev" {
 resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   project = module.dev-spoke-project.project_id
   role = "roles/resourcemanager.projectIamAdmin"
-  members = values(local.service_accounts)
+  members = [
+    local.service_accounts.data-platform-dev,
+    local.service_accounts.project-factory-dev,
+  ]
   condition {
     title = "dev_stage3_sa_delegated_grants"
     description = "Development host project delegated grants."
diff --git a/fast/stages/02-networking-nva/spoke-prod.tf b/fast/stages/02-networking-nva/spoke-prod.tf
index 33cbac49..28d0b089 100644
--- a/fast/stages/02-networking-nva/spoke-prod.tf
+++ b/fast/stages/02-networking-nva/spoke-prod.tf
@@ -125,7 +125,10 @@ module "peering-prod" {
 resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   project = module.prod-spoke-project.project_id
   role = "roles/resourcemanager.projectIamAdmin"
-  members = values(local.service_accounts)
+  members = [
+    local.service_accounts.data-platform-prod,
+    local.service_accounts.project-factory-prod,
+  ]
   condition {
     title = "prod_stage3_sa_delegated_grants"
     description = "Production host project delegated grants."
diff --git a/fast/stages/02-networking-vpn/spoke-dev.tf b/fast/stages/02-networking-vpn/spoke-dev.tf
index a1c713ad..f6457952 100644
--- a/fast/stages/02-networking-vpn/spoke-dev.tf
+++ b/fast/stages/02-networking-vpn/spoke-dev.tf
@@ -102,7 +102,10 @@ module "dev-spoke-cloudnat" {
 resource "google_project_iam_binding" "dev_spoke_project_iam_delegated" {
   project = module.dev-spoke-project.project_id
   role = "roles/resourcemanager.projectIamAdmin"
-  members = values(local.service_accounts)
+  members = [
+    local.service_accounts.data-platform-dev,
+    local.service_accounts.project-factory-dev,
+  ]
   condition {
     title = "dev_stage3_sa_delegated_grants"
     description = "Development host project delegated grants."
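Review bot: The new `members` list in `dev_spoke_project_iam_delegated` names the two dev stage-3 service accounts directly but carries no comment saying why only these two belong on the dev host project, and the same literal list is repeated in the nva spoke-prod, vpn spoke-dev and vpn spoke-prod hunks of this patch, so the four copies will drift the next time a stage-3 service account is added. Consider defining one per-environment list next to `local.service_accounts` (for example a local named along the lines of `delegated_members_dev`, name to be chosen) and referencing it from both the nva and vpn spoke files, with a comment such as `# stage-3 SAs granted delegated IAM admin on this host project; the condition below bounds which roles they may grant`. The attribute form `local.service_accounts.data-platform-dev` errors at plan time if the key is missing, which is a useful fail-closed property compared with the previous `values(local.service_accounts)` that silently included every account, and is worth stating in that comment. The `expression` of the `condition` block lies outside the hunk; for a delegated `roles/resourcemanager.projectIamAdmin` it should constrain the grantable roles (the modified-grants-by-role attribute), so confirm that is what it does. The resource block continues past the end of the hunk.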
diff --git a/fast/stages/02-networking-vpn/spoke-prod.tf b/fast/stages/02-networking-vpn/spoke-prod.tf
index ca94cacf..09fc23a6 100644
--- a/fast/stages/02-networking-vpn/spoke-prod.tf
+++ b/fast/stages/02-networking-vpn/spoke-prod.tf
@@ -102,7 +102,10 @@ module "prod-spoke-cloudnat" {
 resource "google_project_iam_binding" "prod_spoke_project_iam_delegated" {
   project = module.prod-spoke-project.project_id
   role = "roles/resourcemanager.projectIamAdmin"
-  members = values(local.service_accounts)
+  members = [
+    local.service_accounts.data-platform-prod,
+    local.service_accounts.project-factory-prod,
+  ]
   condition {
     title = "prod_stage3_sa_delegated_grants"
     description = "Production host project delegated grants."